This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), High (A valid High severity issue), Reward (A payout will be made for this issue)
Weth deposited into `LMPVaultRouter.sol` can get stolen
Summary
When a user calls `mint` or `deposit` with a specified `msg.value`, it is wrapped into weth. Now anyone can call `unwrapWETH9` and withdraw the deposited eth in the contract.
Vulnerability Detail
Imagine Alice wants to mint some shares; she calls `mint` and deposits some eth along with it.
```solidity
function _processEthIn(ILMPVault vault) internal {
    // if any eth sent, wrap it first
    if (msg.value > 0) {
        // if asset is not weth, revert
        if (address(vault.asset()) != address(weth9)) {
            revert InvalidAsset();
        }

        // wrap eth
        weth9.deposit{ value: msg.value }();
    }
}
```
Now Bob can see the weth balance of this contract has increased; he immediately calls `unwrapWETH9` to withdraw.
```solidity
function unwrapWETH9(uint256 amountMinimum, address recipient) public payable {
    // reads the router's entire WETH balance, regardless of who deposited it
    uint256 balanceWETH9 = weth9.balanceOf(address(this));

    if (balanceWETH9 < amountMinimum) revert InsufficientWETH9();

    if (balanceWETH9 > 0) {
        // unwraps everything and sends it to a caller-chosen recipient
        weth9.withdraw(balanceWETH9);
        Address.sendValue(payable(recipient), balanceWETH9);
    }
}
```
sherlock-admin changed the title from "Raspy Corduroy Wolf - Weth deposited into LMPVaultRouter.sol can get stolen" to "SaharDevep - Weth deposited into LMPVaultRouter.sol can get stolen" on Oct 3, 2023
SaharDevep
high
Impact
Any Eth sent to the contract will be stolen.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L23
https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L44
https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L111
https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/utils/PeripheryPayments.sol#L39
Tool used
Manual Review
Recommendation
Add access control to `unwrapWETH9`.
Duplicate of #1
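One way to scope `unwrapWETH9` to the caller's own funds, in the spirit of the recommendation above. This is an added example, not code from the issue or from Tokemak: `ScopedUnwrap`, `wrappedCredit`, `_consumeCredit` and `EthTransferFailed` are hypothetical names, and per-caller bookkeeping is an assumed design rather than the project's fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IWETH9 {
    function deposit() external payable;
    function withdraw(uint256 amount) external;
}

// Added illustration only; names below are hypothetical.
abstract contract ScopedUnwrap {
    IWETH9 public immutable weth9;
    // WETH each caller has wrapped through this contract and not yet used.
    mapping(address => uint256) public wrappedCredit;

    error InsufficientWETH9();
    error EthTransferFailed();

    constructor(IWETH9 _weth9) {
        weth9 = _weth9;
    }

    // Only WETH9.withdraw() should ever send ETH back to this contract.
    receive() external payable {
        require(msg.sender == address(weth9), "Not WETH9");
    }

    // Wrap step: record who supplied the ETH before wrapping it.
    function _processEthIn() internal {
        if (msg.value > 0) {
            wrappedCredit[msg.sender] += msg.value;
            weth9.deposit{ value: msg.value }();
        }
    }

    // Call when the caller's WETH is forwarded into a vault.
    function _consumeCredit(uint256 amount) internal {
        wrappedCredit[msg.sender] -= amount; // reverts on underflow in 0.8+
    }

    // Unwraps only the caller's unused WETH, never the pooled balance.
    function unwrapWETH9(uint256 amountMinimum, address recipient) public payable {
        uint256 credit = wrappedCredit[msg.sender];
        if (credit < amountMinimum) revert InsufficientWETH9();
        if (credit > 0) {
            wrappedCredit[msg.sender] = 0; // clear before external calls
            weth9.withdraw(credit);
            (bool ok, ) = payable(recipient).call{ value: credit }("");
            if (!ok) revert EthTransferFailed();
        }
    }
}
```

With this bookkeeping, a call to `unwrapWETH9` from an address that never wrapped ETH sees a credit of zero and transfers nothing, whatever WETH the contract holds for other callers.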